Bugtraq mailing list archives

Re: Anti Virus Mailscanners DOS


From: kragen () pobox com (Kragen Sitaker)
Date: Tue, 26 Feb 2002 16:52:29 -0500 (EST)

David Skoll writes:
> In general, you cannot check the size of compressed files without
> uncompressing.  For example, with a tar.gz, you have to uncompress
> the whole thing.

No you don't.  Assuming GNU head:

gzip -dc foo.tar.gz | head --bytes=10m | tar xvf -

The equivalent for a zip file might be more difficult, but not much.

...
> So because you can get around scanners which limit the size of the
> scan, and you can DoS scanners which do not limit the size, you might
> as well not bother scanning compressed or archived files at all, except
> under manual control.

Or you can implicitly deny anything that is not explicitly allowed,
i.e. bounce the mail if it chokes your virus scanner.

-- 
/* By Kragen Sitaker, http://pobox.com/~kragen/puzzle2.html */
char a[99]="  KJ",d[999][16];main(){int s=socket(2,1,0),n=0,z,l,i;*(short*)a=2;
if(!bind(s,a,16))for(;;){z=16;if((l=recvfrom(s,a,99,0,d[n],&z))>0){for(i=0;i&n;
i++){z=(memcmp(d[i],d[n],8))?z:0;while(sendto(s,a,l,0,d[i],16)&0);}z?n++:0;}}}

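Added example, not part of the original post: a Python sketch of the two ideas in the message above, capping decompressed output (the 10 MiB default mirrors `head --bytes=10m`) and bouncing anything that exceeds the cap or fails to parse instead of silently truncating it. It goes beyond the gzip pipeline by also covering zip; the names `gunzip_capped`, `unzip_capped`, `verdict` and `Rejected` are hypothetical.

```python
import gzip, io, zipfile, zlib

class Rejected(Exception):
    """Bounce the message: archive is over the cap or cannot be parsed."""

def gunzip_capped(data, limit):
    """Inflate one gzip member, never producing more than limit+1 bytes."""
    d = zlib.decompressobj(wbits=31)            # wbits=31 selects gzip framing
    try:
        out = d.decompress(data, limit + 1)     # max_length bounds the output
    except zlib.error as e:
        raise Rejected(f"corrupt gzip: {e}")
    if len(out) > limit:
        raise Rejected("gzip expands past the cap")
    if not d.eof or d.unused_data:
        raise Rejected("truncated gzip or trailing data")
    return out

def unzip_capped(data, limit):
    """Extract every zip member under one shared output budget."""
    files, total = {}, 0
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:   # streamed, stops at the budget
                    body = member.read(limit + 1 - total)
                total += len(body)
                if total > limit:
                    raise Rejected("zip expands past the cap")
                files[info.filename] = body
    except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError) as e:
        raise Rejected(f"unreadable zip: {e}")  # RuntimeError: encrypted member
    return files

def verdict(name, data, limit=10 * 1024 * 1024):
    """Return 'scan' if the attachment unpacks within limit, else 'bounce'."""
    try:
        if name.endswith(".zip"):
            unzip_capped(data, limit)
        elif name.endswith(".gz"):
            gunzip_capped(data, limit)
    except Rejected:
        return "bounce"
    return "scan"                               # other types go to the scanner as-is

if __name__ == "__main__":
    bomb = gzip.compress(b"\0" * (20 * 1024 * 1024))   # constructed sample input
    print(len(bomb), "bytes compressed ->", verdict("bomb.tar.gz", bomb))
```

Memory use is bounded by the cap plus one byte regardless of how far the archive would expand, so the cap should be set to what the scanner host can afford per message.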
